In one of my projects I saw that the Microsoft.Csharp reference is not found.
It was strange because for other projects the reference is resolved fine.
Resolution: Somehow my current project framework got pushed to v3.5.
I changed it to v4.0 and that fixed the issue.
It is important that you save the changes before the project framework is changed because the project will re load and you may lose any unsaved work.
I created a website in ASP.Net and published it to a location in the hard drive within the default projects folder of VS2010 (C:\Users\\Documents\Visual Studio 2010\Projects\\PrecompiledWeb).
This was a simple website project, nothing fancy, that looked like this:
I created an Application in IIS 7.5 under local host (Root -> Sites -> Default Website) and provided the physical path of the website to the location of my precompiled bit. By default the AppPool used is the DefaultAppPool that by default runs on the AppPoolIdentity. But when I try to access the site I got the following:
For me this error kept cropping up and the reason was that the account on which the app pool was running did not have access to the physical location of the website files. You can check the account by going to Application pool node -> Select the app pool -> click Advanced settings on the left menu and scroll down. Ensure that you provide read access to the physical location. Once you do the error goes away.
|
Error 3 Error 5: The ‘Namespace’ attribute is invalid – The value ‘‘ is invalid according to its data type ‘http://schemas.microsoft.com/ado/2008/09/edm:TNamespaceName’ – The Pattern constraint failed. |
This error may come up when you try to add a new blank “Ado.Net Entity Data Model” to your project and name the EDM with a character line _(underscore),-(hyphen), etc. in the name. I got this for this two values and there must be more.
The way to solve this error is to name the EDM without any special character in it.
This is for the records J
Entity Framework 4.0: Pluralize or singularize generated object names
One of the main additions to the Entity Framework 4.0 is the checkbox shown in the screenshot below:
Pluralize or singularize generated object names
In the previous versions of Entity Framework, by default the Entity Set Name and Entity Name were same, shown the screen shot below:
This caused a lot of confusion for the developers when they started coding against the model.
In Entity Framework 4.0 a new feature has been introduced via the check box mentioned above. This check box is selected by default and provides, amongst others, for the pluralization or singularization of the Entity name. This checkbox practically follows the rule wherein it marked all Entity Types as singular and the Entity Set name as plural. Below is an example wherein this checkbox has been used to pluralize the Entity Set Name. You can uncheck the control to get back to the older – both name same format.
The focal point of a PKI setup is the Certificate Authority, CA. The CA works as the Management hub for the digital certificates.
Considering that load on the CAs, some setup use an additional server called the Registration Authority (RA). The RA takes off some of the load from the CA by handling the verification of the data submitted to CA before the issue of the digital certificates. The RA acts as an interface between the user and the CA. The RA is generally found in the hierarchical model where the work load of the CA may need to be offloaded.
One of the main requirements of PKI is to be able to store public keys and certificates at a location that can be accessed by public. The public and the private key is created at the same time using the same predefined algorithm.
A digital certificate is a collection of predefined information related to the a component of the PKI setup, called the Public Key. The digital certificates use the X.509 standards. The X.509 standards allows the association between the users Distinguished name and the public key. The Distinguished Name is provided by the Naming authority and is used as a unique number while creating the certificate. A X.509 certificate generally contains the following:
Certificate Policy is the set if rules that indicate how exactly the certificate may be used. The CP is a plain text document that is assigned a unique object id so that anyone can reference it. A certificate can be used under multiple policies. For example, a digital certificate can be sued for:
Certificate Practice Statements explain how to implement the Certificate Policy. It describes how the CA plans to manage the certs it issues. All CAs should have CPS.
Digital certificates are revoked when the information they contain are no longer valid or trusted. The most common reason for the revocation of the digital certificates is the compromise of the private key. Note that certificate Revocation is different from Certificate expiration. A certificate can be revoked by the CA by confirming with the certificate owner or the PKI administrator.
Certificate Revocation List: X.509 standards require that a CRL gets published. CRLs contain the revocation status of =certificates that the CA manage. CRLs can be:
OCSP- Online Certificate Status Protocol: Returns the following details about a certificate queried:
….
Recently I flunked an interview wherein the interviewer was asking lots of questions around threat models. While I will not be putting any of those questions here, I did do my “after the horse bolted” type of post mortem and have come up with a list of questions that anyone who works with design of web application should be aware of.
First the obvious one 
What is Threat Modeling?
Well It’s a hot buzzword these days in the world of Information technology security. Threat modeling is a structured approach to analyze your web application design and identify threats against your system. Hmnn of…you said THREAT? Threat model is very useful in identifying security issues related to design early in the application development lifecycle and thus makes mitigating those issues less costly as compared to identifying in the, say Verification phase.
So what is a Threat? Threat is a possible harm that can be caused to an Asset (anything of importance that needs protection; from a web application perspective it may be user passwords, keys, financial information, etc.)
Where and when do you start Threat Modeling? A good point to start threat modeling is just after you are done with the functional and technical design document of your application. Having said that it is never to late for you to start, if not in the current release, this may help in the next.
What are the general steps involved in Threat Modeling?
The threat modeling process should ideally start with a brain storming session to answer the following questions (by not means an exhaustive list..so think think think):
While doing the threat model of an application (or anything) think like an attacker who is trying to sabotage your app. Find ways on subverting your system’s weaknesses. This will help you create an Attack Tree (a What??????)
Once you have identified the threats, what’s next? Remember risk can never be erased fully, you can only Transfer/Accept/Ignore the risk. And that’s exactly what you do once you have identified the threats. A good threat model will have ALL the identified threats reviewed and updated as Ignore/Accept/Transfer.
—–)0(—————–)0(—————–)0(—————–)0(————
Authentication is the one of the fundamental requirements for ensuring security of important assets. Authentication is the process of validating the identity of an object trying to access an asset. Authentication can be done based on the implementation of one or more the following:
When attempting to authenticate a user/application several industry standard types of authentication may be used depending on various conditions that exists on a subjective basis.
Various types of authentication protocols that is supported by Microsoft Windows Server 2003 family includes:
Kerberos v5 authentication protocols: This protocol is either used with password or a smart card for interactive logon. It is also the default method for network authentication of services. The process works like this:
So the Kerberos v5 authentication protocol has the following main parts:
The Kerberos v5 services are installed on each domain controller and a Kerberos client is installed on each workstation and server.
Each domain controller acts as a KDC. The client service uses the DNS to look up for the nearest nearest domain controller and in turn the nearest KDC.
Beginning Windows Server 2003, Kerberos is implemented as a SSP (Security Service Provider) that can be accessed using the SSPI (Security Support Provider Interface)
SSL/TLS authentication Protocols: TLS/SSL authenticates and secures data transfer by using certificate based authentication and symmetric encryption keys. Windows Server 2003 onwards, SSL/TLS protocols are implemented as a Security Service Providers (SSP) using dynamic link libraries that are called SChalnnels that is supplied with the OS implementation. Which one gets used is decided based on the capability of the computer on the other side of the connection. The default SSPs for Windows Server 2003 include the following: Kerberos, Digest, NTLM, SChannel and Negotiate authentication protocols as DLLs in the SSPI.
SChannel SSP is used to access web enabled services such as emails and personal information served over the internet on web pages. The SChannel SSP uses the public key encryption to authenticate parties. It included four authentication protocols that it supports:
Schannel then selects the most preferred authentication protocol that both parties can support.
TLS/SSL Architecture: TLS/SSL protocols are layered between the Application layer and the TCP/IP layer, where it can secure and send the application data to the transport layer for farther transport. Just because TLS/SSL works between the application layer and the transport layer it can support multiple application layer protocols.
TLS/SSL assumes that TCP/IP is in use. The main advantage of using TLS/SSL is that it provide the following:
The step by step of how SSL/TLS works:
NTLM Authentication: NTLM is the abbreviation for Windows NT LAN Manager This is a Windows network authentication protocol that uses challenge/response system to allow a client to prove its identity without sending the password over the network. NTLM is the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups. NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.
Kerberos has mostly replaced NTLM in domain controller environment within AD implementation, but NTLM still find wide spread usage in environments where the domain controller is unavailable or reachable.
Reference: http://technet.microsoft.com
Phishing is one of the fastest growing threats of identity theft and abuse on the internet. It is so prevalent that almost any site of importance will have a warning mentioned somewhere to be careful about phishing attacks.
The very basis of Phishing attacks are phony websites that will give a perfect actual site like feeling to the user. This way the attackers manage to fool the user and get the important personal and financial information ranging from SSNs to credit card details.
Often phishing requests are sent over innocent looking emails that reflect the actual emails sent out by the legitimate organizations, requesting users for information. A not so tech savvy user may not be careful enough and hence loss of important information happens.
To fight against phishing scams, Microsoft has taken a number of steps that include:
1. Including SenderID to all of its email email products and services
2. The Phishing filter (SmartScreen filter)
Per MSDN:
The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail messages are sent. Sender ID validates the origin of e-mail messages by verifying the IP address of the sender against the alleged owner of the sending domain.
The SmartScreen filter is a feature of Windows Internet Explorer 8. It is designed to help protect the user from fraudulent websites trying to steal personal information. SmartScreen filter also helps protect from installing malicious software or malware.
SmartScreen filter helps to protect you in three key ways:
Cross site scripting (aka XSS) is one of the most prevalent web application security issue. In OWASP top 10 for 2010, cross site featured prominently in number 2.
Considering the damage that a successful cross site scripting attack is capable of doing, almost all the successful commercial browsers have tried to provide security features that makes it difficult to execute a successful cross site scripting attack. One of the main ways this attack is carried out is by exploiting the browser’s capability for executing scripts.
Starting Internet Explorer 6 SP1, a new attribute is introduced to the cookies to counter the menace of XSS.
This attribute makes the cookie inaccessible to the scripts, thus stopping malicious script code from executing. The cookies with this attribute set are called HTTP only cookie.
A cookie is set on the client with an HTTP response header.
Set-Cookie: =[; =]
[; expires=][; domain=]
[; path=][; secure][; HttpOnly]
The HttpOnly attribute is not case sensitive and it is important to be noted that this feature must be used in coordination with other XSS mitigation to effectively counter XSS, like:
1. Proper input validation.
2. Adequate output encoding whenever any possible user controlled values are rendered back to the browser.
The main class of vulnerability that is detected and patched on Internet Explorer 8 for Windows server include is Remote Code Execution
As of this writing the latest patch came out on Feb 8, 2011 that contained fixes for the a number of issues. Some of these include:
CSS Memory Corruption Vulnerability.
Per CVE-2010-3971 this issue came up because of a vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, that is used in Microsoft Internet Explorer 6 through 8 and other products. This vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a style sheet.
Uninitialized Memory Corruption Vulnerability.
Per CVE-2011-0035 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption.
Almost all the issues reported lead to remote code execution that if successfully exploited could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Random Thoughtz 